Blog | G5 Cyber Security

Bug Bounty Guide: Getting Started

TL;DR

This guide gives you a basic plan for starting in bug bounties. It covers finding programs, scoping your work, doing reconnaissance, testing common vulnerabilities, writing good reports, and staying legal.

1. Finding Bug Bounty Programs

  1. Platforms: Start with HackerOne, Bugcrowd, and Intigriti, which list many public programs in one place. Synack is invite-only, so treat it as a later step once you have a track record.
  2. Company Websites: Check the security or vulnerability disclosure pages of companies you use regularly. Many have their own programs.
  3. Google Dorking: Use search terms like "vulnerability disclosure program" site:company.com or "bug bounty" site:company.com to find programs that aren't listed on a platform. Also check https://company.com/.well-known/security.txt (RFC 9116), which many organisations use to publish their disclosure contact and policy.

2. Understanding the Scope

  1. Read the Rules: This is *crucial*. Each program defines what you can test, what's out of scope (e.g., denial-of-service attacks, social engineering, physical access, and often automated scanning), how to submit reports, and which accounts you may use. Create your own test accounts; never touch other users' data.
  2. In-Scope Assets: Identify exactly which domains, subdomains, applications, and APIs are allowed for testing. A wildcard entry such as *.example.com usually covers subdomains, but check how the program treats the apex domain and subdomains hosted by third parties.
  3. Out-of-Scope Items: Pay close attention to what's *not* permitted. Testing out of scope is no longer authorised testing: it can get you banned from the program and leaves you without the legal cover the program provides.

3. Reconnaissance (Gathering Information)

  1. Subdomain Enumeration: Find the subdomains associated with a target domain using tools like subfinder or online services like VirusTotal. Filter the output against the program's scope before doing anything else, and drop hosts that don't resolve.
    subfinder -d example.com
  2. Port Scanning: Identify open ports and running services on in-scope hosts with Nmap. Check the rules first: many programs restrict or forbid port scanning, and scanning a host behind a shared CDN or hosting provider hits infrastructure that isn't in scope. Use a slow timing template so you don't overload the server.
    nmap -sV -T2 example.com
  3. Directory Brute-Forcing: Discover hidden directories and files using tools like Dirbuster or Gobuster. Limit threads and add a delay between requests; a default run is effectively a small flood.
    gobuster dir -u https://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 10 --delay 200ms
  4. Technology Stack Identification: Determine the technologies used (e.g., web server, programming language, database) using tools like Wappalyzer or builtwith.com.
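Scope checking (section 2) should happen mechanically before any of the scanning in section 3, because enumeration tools return whatever they find, in scope or not. The script below is an added example, not code from the original post: it takes a constructed list of hostnames in the one-host-per-line format subfinder prints, applies a hypothetical program scope (the IN_SCOPE and OUT_OF_SCOPE entries are made up for illustration), and returns only the hosts you are allowed to test.

```python
# Added example: filter enumerated hostnames against a program's scope.
# The scope entries and hostnames below are constructed for illustration;
# they do not describe any real program.
import sys
from typing import Iterable

# Hypothetical scope, written the way a program page would list it:
#   *.example.com    -> any subdomain of example.com (wildcard)
#   api.example.net  -> one explicit host
IN_SCOPE = ["*.example.com", "api.example.net"]
OUT_OF_SCOPE = ["legacy.example.com", "*.corp.example.com"]


def matches(host: str, pattern: str) -> bool:
    """True if host matches one scope entry.

    A wildcard '*.example.com' matches any subdomain but not the apex
    'example.com' itself (the stricter reading; widen it if the program
    says the apex is included). The leading dot in the suffix check stops
    'evil.notexample.com' from matching. An explicit entry matches only
    that exact host.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def in_scope(host: str) -> bool:
    """In scope if some IN_SCOPE entry matches and no OUT_OF_SCOPE entry does.

    Exclusions win: a host covered by a wildcard but listed as out of
    scope stays out.
    """
    if any(matches(host, p) for p in OUT_OF_SCOPE):
        return False
    return any(matches(host, p) for p in IN_SCOPE)


def filter_scope(hosts: Iterable[str]) -> list[str]:
    """Return the in-scope hosts, normalised, de-duplicated and sorted."""
    cleaned = (h.strip().lower().rstrip(".") for h in hosts)
    return sorted({h for h in cleaned if h and in_scope(h)})


# Constructed sample output in the format subfinder prints (one host per line).
SAMPLE_OUTPUT = """\
www.example.com
legacy.example.com
vpn.corp.example.com
example.com
api.example.net
cdn.example-static.com
mail.example.com.
"""

if __name__ == "__main__":
    # Piped input (e.g. from subfinder) is used if present; otherwise the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for h in filter_scope(source.splitlines()):
        print(h)
```

Run it as `subfinder -d example.com | python3 scope.py` and feed only the printed hosts to Nmap or Gobuster. Note that an out-of-scope entry beats a wildcard: vpn.corp.example.com is under *.example.com but is dropped because it is also under *.corp.example.com.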

4. Testing Common Vulnerabilities

  1. Cross-Site Scripting (XSS): Try injecting JavaScript into input fields and URL parameters to see if it executes in the browser. Seeing the payload reflected in the page source is not enough; it has to run, and the context it lands in (HTML body, attribute value, JavaScript string) determines which payload works.
    Example: <script>alert('XSS')</script>
  2. SQL Injection: Attempt to manipulate database queries by entering SQL syntax into input fields. Stick to read-only probes (a boolean condition like the one below, or a time-based one) and stop as soon as you can demonstrate the injection; never run statements that modify or delete data.
    Example: ' OR '1'='1
  3. Broken Authentication/Authorization: Test for weak password policies, account enumeration (different responses for valid and invalid usernames), and privilege escalation between two accounts you control.
  4. Cross-Site Request Forgery (CSRF): Check whether state-changing requests are protected by an anti-CSRF token or SameSite cookie attributes. If they aren't, an attacker's page can make a logged-in user's browser submit the request without their knowledge.
    Burp Suite's CSRF PoC generator can build the attacker page for you.
  5. Insecure Direct Object References (IDOR): Try accessing resources by changing object IDs in URLs or request bodies, using two accounts you control: if account A's session can read or modify account B's object, that's the bug.

5. Writing Effective Bug Reports

  1. Clear Title: Summarize the vulnerability concisely.
    Example: “XSS Vulnerability on Search Input Field”
  2. Detailed Description: Explain the vulnerability in plain language, including its impact and how it can be exploited.
  3. Steps to Reproduce: Provide a numbered list of precise steps that anyone can follow to recreate the issue.
  4. Proof-of-Concept (PoC): Include the exact HTTP request and response (a Burp export or a curl command), plus screenshots or a short video. Triagers need to reproduce it, not just see it.
  5. Impact: Explain the potential consequences if the vulnerability is exploited.
    Example: “An attacker could steal user cookies and hijack accounts.”
  6. Remediation Advice (Optional): Suggest possible solutions to fix the vulnerability.

6. Staying Legal & Ethical

  1. Respect Scope: Never test outside of the defined scope.
  2. Do No Harm: Avoid causing any disruption or damage to systems.
  3. Confidentiality: Keep vulnerability information confidential until it’s publicly disclosed by the program owner.
  4. Follow Responsible Disclosure Practices: Give the company reasonable time to fix the issue before disclosing it publicly (if allowed).